quasar | 0ab7a336a35fc4e3472968e07b1b4c43254585d6879cbe9e1ea9323b96c1f074

General

Target

287b678f74eae9dacfc22cf4928227cc.bin
Size

1.3MB
Sample

230507-arw6daec5t
MD5

fc885c7aef8a32b28ba3396becab1f79
SHA1

a68cefd055099fc0db8d3c7654c16725b2fd4e8b
SHA256

0ab7a336a35fc4e3472968e07b1b4c43254585d6879cbe9e1ea9323b96c1f074
SHA512

c8e7e38e861cc97f702328be13b9aed789140de14b86c857045a9e5607b66eb245e51297e2fb5b4d83afb16e0c53ae332c35f9758b339edcac9caafb5874f36a
SSDEEP

24576:EZx5Y6tXucdiJsGz9V2MSqJWoPe8ICTw2C2XQHqx8441VGx:q7XBiJrz9V2cwrrPeQHqx844rGx

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

C2

41.185.97.216:4782

Mutex

MUTEX_KMkEYpkuWKDvhVsEcT

Attributes

encryption_key
kbnBYlo1Zoug7VQGhNv1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
cmd
subdirectory
SubDir

Targets

- Target
  
  efbe462f4a296b1339e67659670384617fd29e48c998db6cab6ffc601a0d1f19.exe
- Size
  
  2.4MB
- MD5
  
  287b678f74eae9dacfc22cf4928227cc
- SHA1
  
  79e66f603dcf22e2223636118aa4e68bb696d956
- SHA256
  
  efbe462f4a296b1339e67659670384617fd29e48c998db6cab6ffc601a0d1f19
- SHA512
  
  2cc7a98d6ef5d140a32863dec4df40d3822fcdb09dcd2262c614ae34b2a2956257feab1d20a66ea2c81ab6f3c35186fa208c9c4af023b9f082e8d517d58b3c2b
- SSDEEP
  
  24576:yiE0BwNL6HwaygQ94d3qhHOeCmzL3Nlz4+laTT/h7fJ4kCLi+nDLgDnbSTSHcdJV:dxAWwah3xIL3fz4+laTT1BCeK6STS8F
Score

10^/10

quasar success persistence spyware trojan redline infostealer stealer
- Detects Redline Stealer samples
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  stealer
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects Redline Stealer samples

Quasar RAT

Quasar payload

RedLine

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2